One-stop-shop likely to stay in the EU DP Regulation?

The EU Data Protection draft Regulation proposes a one-stop-shop so that companies running a business in more than one EU Member State may, in future, work to one's country's interpretation of the Regulation. The country would be where the company has its "main establishment." Several national DP Authorities (DPAs), for example, in France and Spain, have criticised this proposal as being good for companies but bad for individuals. The customers or other individuals would be distant from the DPA which would often work in a different language when individuals seek redress for problems and breaches of laws.

However, Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship, made it clear this week that she wants the one stop shop to stay in the Regulation. Companies will deal with just one DP Authority regardless of how many EU countries they operate in. "Legal certainty will exist in the form of consistency mechanism which will ensure that there are no contradictions," she said. Reding continued to say that in addition to scrapping notification to DPAs, the Commission is planning more measures to cut red tape for business. The new Regulation will take more of a risk-based approach, and be less prescriptive than the draft proposal.

She strongly rejected the idea that there would be separate regimes for private and public sectors, as suggested by some stakeholders. Reding said that she is willing to sacrifice many of the proposed delegated and implementing acts and to look at other options, such as adding detail into the actual text, issue codes of conduct, or use the consistency mechanism. This would mean that national DPAs could issue guidelines and recommendations to ensure consistent application of the Regulation.

Reding spoke at the Forum Europe Data Protection Conference in Brussels on 4 December. Read more about the proposed changes to the EU DP draft Regulation in the next PL&B International Report, to be published 13 December.